Kiosk & VDI Breakout Logfile

thinclient kiosk citrix vdi virtualdesktop breakout logfile methodology


Test Details & Scope


  • Project Number:

  • Date of Test:

  • Target List:


Test Accounts


user1:password1
admin1:password1


Legend


    • confirmed vulnerability
    • no issue or false positive
    • ! - warnings about issues or possible vulnerabilities
    • ? - still needs checking

Pre Test Checks


  • Check the SOW/quote for additional details on the test:

  • Read all previous emails related to test:

  • Check previous year’s report if exists:

  • Ensure logging is enabled on all relevant tools:


Scanning


  • nmap -Pn -p- -sSVC $target    Start:    End:

  • nmap -sU --top-ports 200 $target    Start:    End:

  • Manually investigate discovered services and exploit as proof of concept if possible.

In order to prepare the system for a credentialed Nessus scan, some settings have to be configured. The batch scripts can be used to set up the correct settings and revert them after all scans are completed.

  • First run Setup.bat, then the PC will reboot.

  • Perform a Nessus Advanced Scan with credentials (domain admin or default windows administrator)

  • Perform a CIS Compliance Scan with credentials (use correct CIS profile for the OS in use)

  • Run the Removal.bat


Local Configuration Checks


  • Run Enumeration.bat file on the device and review.

  • Check if CMD and PowerShell are restricted

  • If you are in a restricted environment (e.g. Citrix) try to escape.

  • Try to download and install software (e.g. Python)

  • Check if BitLocker is ON and if using TPM or Password (Password is recommended in case of stolen laptop)

  • If BitLocker is OFF and Secure Boot is OFF you can access the files from a Live Linux USB:
    mkdir /mnt/target
    mount /dev/sdb1 /mnt/target

  • Try to boot Kali from USB (if no BitLocker, try accessing the Windows files)

  • Are DMA ports, such as Thunderbolt 3, FireWire, ExpressCard or PCI Card interfaces protected? (this is the default on systems installed with Windows 10 version 1803 or later)

  • You can use the System Information desktop app (MSINFO32) to check if a device has kernel DMA protection enabled

  • If FireWire is available attempt FireWire physical memory manipulation: (http://seclist.us/inception-v0-4-1-is-a-physical-memory-manipulation-and-hacking-tool-exploiting-pci-based-dma.html)

  • Is the machine vulnerable to paging file, crash dump and hiberfil.sys attacks? (if BitLocker is on, the answer is NO)
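The BitLocker and Secure Boot state asked for in the checks above, collected in one place. This is an added example, not part of the original logfile; it assumes an elevated prompt, the BitLocker module (Windows 8 / Server 2012 and later) and UEFI firmware for Confirm-SecureBootUEFI.

```powershell
# Added example (not part of the original logfile): summarise BitLocker and Secure Boot
# posture for the OS volume so the "BitLocker ON? TPM or password?" and "Secure Boot?"
# checks can be answered from one command.
function Get-DiskProtectionPosture {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # TPM-only unlock needs no user secret at boot; the checklist prefers a PIN/password
    # (TpmPin, TpmPinStartupKey or Password protectors) for the stolen-laptop case.
    $preBootSecret = @($protectors -match '^TpmPin|^Password$').Count -gt 0
    $tpmOnly = ($protectors -contains 'Tpm') -and -not $preBootSecret

    # Confirm-SecureBootUEFI throws on legacy BIOS systems, where Secure Boot cannot exist.
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }

    $encrypted = ($vol.ProtectionStatus -eq 'On')

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus      # On / Off
        VolumeStatus     = $vol.VolumeStatus          # FullyEncrypted, FullyDecrypted, ...
        EncryptionMethod = $vol.EncryptionMethod
        KeyProtectors    = ($protectors -join ', ')
        TpmOnlyUnlock    = $tpmOnly                   # $true = no pre-boot secret required
        SecureBoot       = $secureBoot
        # The condition the checklist gives for reading files from a live Linux USB.
        LiveUsbFileRead  = (-not $encrypted) -and (-not $secureBoot)
        # Paging file / crash dump / hiberfil.sys attacks only apply to an unencrypted volume.
        PagefileExposure = -not $encrypted
    }
}

Get-DiskProtectionPosture | Format-List
```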


Boot/BIOS Checks


  • Can you access the BIOS without a password?

  • Can you change settings in the BIOS?

  • If protected can you bypass and reset the BIOS? (google) (e.g. Clear CMOS/Remove Battery/Jumper..)

  • Is a master / supervisor password set?

  • Can you BOOT from other devices (e.g. USB)?

  • Is SECURE BOOT enabled?

  • Is any third party anti-theft system active? (e.g. COMPUTRACE)


Anti-Virus Checks


  • Insert USB containing EICAR payload (check if AV finds the payload)

  • Insert USB and check if you can READ / WRITE (also note any warnings)

  • Try to download EICAR from browser

  • Check if any malicious pages are blocked (whitelist/blacklist) in the browser (e.g. exploitdb.com)

  • Browse to different filtered content here: http://www.sophostest.com/

  • Check if AV is installed and updated


Secure Networking Checks


Check for LLMNR:

  • See if the EnableMulticast value is present and not set to 0:
    Windows Server 2008: get-itemproperty -path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
    Windows Server 2012: get-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters"

Check for NBT-NS:

  • Find instances where NetBIOS name resolution is enabled (TRUE):
    wmic nicconfig where TcpipNetbiosOptions=0
    P.S. - the fix is:
    wmic nicconfig where (TcpipNetBiosOptions!=Null and TcpipNetbiosOptions!=2) call SetTcpipNetbios 2

Check for WPAD:

  • Check Internet Explorer > Internet Options > Connections Tab > LAN Settings > Auto Detect Enabled

See if plaintext credentials are stored:

  • Check if WDigest is in use: get-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages"
    Note: if Security Packages has a null value it won't auto-complete, so you can run the command at \Lsa to double-check.

  • See if plaintext storage is enabled (UseLogonCredential not equal to 0): get-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"


Check for DLL pre-loading:

  • See if CWDIllegalInDllSearch exists and is not set to 0: get-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager"

Check for SMB Signing:

  • Check the server (RequireSecuritySignature is not equal to 1): get-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters"

  • Check the client (RequireSecuritySignature not set to 1): get-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters"


Check for LM/NTLM hashing:

  • Check if LmCompatibilityLevel does not equal 4 or 5: get-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"

Check for Kerberos DES hashing:

  • Look up SupportedEncryptionTypes (hex values differ): get-itemproperty -path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters"

Note: on Server 2012 the SupportedEncryptionTypes value does not exist (the path is invalid there).
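The registry and NetBIOS checks in the Secure Networking Checks section, read in one pass and rated against the thresholds the checks give. Added example, not part of the original logfile; it assumes an elevated prompt, reports a missing value as WEAK for manual review (the OS default for most of these is the weak setting), and for Kerberos treats an absent value as the OS default with DES disabled.

```powershell
# Added example (not part of the original logfile): audit the Secure Networking settings
# listed above. Pass conditions follow the checklist; an absent value is flagged for review.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is missing, which is the default state for many of these.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-SecureNetworkingSettings {
    $sys = 'HKLM:\SYSTEM\CurrentControlSet'
    $checks = @(
        @{ Name = 'LLMNR disabled (EnableMulticast = 0)';          Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';        Value = 'EnableMulticast';          Pass = { param($v) $v -eq 0 } }
        @{ Name = 'WDigest plaintext caching off';                 Path = "$sys\Control\SecurityProviders\WDigest";                          Value = 'UseLogonCredential';       Pass = { param($v) $v -eq 0 } }
        @{ Name = 'CWD removed from DLL search order';             Path = "$sys\Control\Session Manager";                                    Value = 'CWDIllegalInDllSearch';    Pass = { param($v) ($null -ne $v) -and ($v -ne 0) } }
        @{ Name = 'SMB signing required (server)';                 Path = "$sys\Services\LanManServer\Parameters";                           Value = 'RequireSecuritySignature'; Pass = { param($v) $v -eq 1 } }
        @{ Name = 'SMB signing required (client)';                 Path = "$sys\Services\LanManWorkstation\Parameters";                      Value = 'RequireSecuritySignature'; Pass = { param($v) $v -eq 1 } }
        @{ Name = 'NTLMv2 only (LmCompatibilityLevel 4 or 5)';     Path = "$sys\Control\Lsa";                                                Value = 'LmCompatibilityLevel';     Pass = { param($v) ($v -eq 4) -or ($v -eq 5) } }
        # Bits 0x1 and 0x2 of SupportedEncryptionTypes are DES-CBC-CRC and DES-CBC-MD5.
        @{ Name = 'Kerberos DES disabled';                         Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'; Value = 'SupportedEncryptionTypes'; Pass = { param($v) ($null -eq $v) -or (($v -band 0x3) -eq 0) } }
    )

    foreach ($c in $checks) {
        $v = Get-RegValue -Path $c.Path -Name $c.Value
        $shown  = if ($null -eq $v) { '<absent>' } else { $v }
        $result = if (& $c.Pass $v) { 'OK' } else { 'WEAK' }
        [pscustomobject]@{ Check = $c.Name; Value = $shown; Result = $result }
    }

    # NBT-NS is set per adapter: 2 = disabled, 1 = enabled, 0 = follow DHCP (usually enabled).
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        $result = if ($_.TcpipNetbiosOptions -eq 2) { 'OK' } else { 'WEAK' }
        [pscustomobject]@{
            Check  = "NetBIOS over TCP/IP disabled ($($_.Description))"
            Value  = $_.TcpipNetbiosOptions
            Result = $result
        }
    }
}

Test-SecureNetworkingSettings | Format-Table -AutoSize
```

The WPAD setting (Auto Detect in the browser's LAN settings) is a per-user browser option and is not covered by this script; check it as the list describes.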


Misc Checks